
I set up mod_evasive on Apache/2.4.18 using this guide: https://komunity.komand.com/learn/article/server-administration/how-to-configure-modevasive-with-apache-on-ubuntu-linux/

I only changed email@yourdomain.com to root@localhost.

The first time I used test.pl it worked, but every remaining time it only shows HTTP/1.1 400 Bad Request. I'm not sure if I accidentally changed anything, but here's my test.pl.

#!/usr/bin/perl

# test.pl: small script to test mod_dosevasive's effectiveness

use IO::Socket;
use strict;

for(0..100) {
    my($response);
    my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
                                        PeerAddr=> "127.0.0.1:80");
    if (! defined $SOCKET) { die $!; }
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;
    print $response;
    close($SOCKET);
}

Because it worked the first time, shouldn't there be a log of it? I checked /var/log/mod_evasive/ and it's empty. In syslog there is also no mention of mod_evasive. There is only root in /var/mail/, which hasn't received a mail from mod_evasive either.

Could it be because I'm redirecting http to https? I set up a Redirect permanent / https://mydomain.example in 000-default.conf.

MWin123
    mod_evasive is not actively maintained. Perhaps you should not be using it any more. Use IDS/IPS or firewall. – ezra-s Aug 07 '17 at 15:22
  • @ezra-s Oh, that might explain it. I was following this "How to secure an Ubuntu 16.04 LTS server" guide: https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics I have ufw & fail2ban installed, does that replace mod_evasive? – MWin123 Aug 07 '17 at 17:10
  • IMO, it's not a matter of "replacement". Think of it as using the tools you need for the purpose you want. In any case, I'd never use httpd modules (third party or not) to do the job of a firewall or IDS/IPS. Each layer has its suitable tools for the job, and using an HTTP server for blocking IPs dynamically just does not fit very well. – ezra-s Aug 07 '17 at 18:12
  • @ezra-s I'm just trying to secure my VPS that I mainly use for Nextcloud which may contain sensitive data. While I tried to test mod_evasive with a DOS attack the MySQL database crashed, I think it ran out of ram. So if one person could completely deny me access to my website, that would be bad. But I guess fail2ban should prevent another DOS attack? – MWin123 Aug 07 '17 at 18:22
  • Set a firewall that will limit too many incoming connections/data, change ports, make honeypots, etc. This may be more suitable for a security forum. – ezra-s Aug 07 '17 at 18:36
  • @ezra-s Isn't adding (temporary) rules to iptables the point of fail2ban? I guess I could change the ports of HTTP and HTTPS, but that would break all browsers that visit domain.example. A honey pot would just make it easier to DDOS me because my VPS wouldn't be able to handle the additional traffic and I think honeypots are against the ToS of my hoster. I'll have to do some reading about fail2ban, but it seems like it offers a profile for apache. Protection for sshd is already enabled. – MWin123 Aug 07 '17 at 18:57
  • It is a problem of the Perl script test.pl: https://stackoverflow.com/questions/51172923/mod-evasive-not-working-on-apache-2-4-6 – Bob Bedinsky Jun 30 '20 at 09:05

1 Answer

The problem lies in test.pl.

Rewrite the line

print $SOCKET "GET /?$_ HTTP/1.0\n\n";

as

print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";

From https://centosfaq.org/centos/apache-mod_evasive-problem-with-testpl/
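The corrected request line above is the whole fix; the remaining question is how to tell whether mod_evasive actually engaged once the 400s stop. The following is an added example, not code from the question, the answer or the linked guides: a Python replacement for test.pl that sends the well-formed HTTP/1.0 request (CRLF line endings plus a Host header, exactly as the answer prescribes), opens a fresh connection per request like test.pl, and tallies the status codes so the point at which Apache starts answering 403 is visible. The host 127.0.0.1, port 80 and the count of 100 requests are assumptions carried over from test.pl; adjust them for your own server.

```python
#!/usr/bin/env python3
# Added example (not from the question or the linked guide): a Python replacement
# for test.pl that sends well-formed HTTP/1.0 requests with CRLF line endings and
# a Host header, as the answer above prescribes, then tallies the status codes so
# the point at which mod_evasive starts answering 403 is visible.
# Host, port and request count are assumptions; adjust them for your own server.
import socket
from collections import Counter
from typing import Iterable, Optional, Tuple

DEFAULT_HOST = "127.0.0.1"   # assumption: test against the local Apache, as test.pl does
DEFAULT_PORT = 80            # assumption: plain HTTP, as in test.pl


def build_request(path: str, host: str = DEFAULT_HOST) -> bytes:
    """Build the request exactly as the answer's corrected print line does:
    CRLF line terminators and a Host header, followed by the blank line."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the numeric status from a response's status line, or None
    if the first line is not an HTTP status line."""
    first_line = response.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def tally(codes: Iterable[Optional[int]]) -> Tuple[Counter, Optional[int]]:
    """Count each status code and record the index of the first 403, which is
    where mod_evasive's threshold was crossed (None if it never was)."""
    counts: Counter = Counter()
    first_403 = None
    for index, code in enumerate(codes):
        counts[code] += 1
        if code == 403 and first_403 is None:
            first_403 = index
    return counts, first_403


def send_once(host: str, port: int, path: str, timeout: float = 5.0) -> Optional[int]:
    """Open a fresh TCP connection (one request per connection, like test.pl),
    send the request and return the status code of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(path, host))
        data = b""
        while b"\n" not in data:          # read until the status line is complete
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_status(data)


def probe(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT, count: int = 100):
    """Send `count` requests with distinct query strings and tally the replies."""
    return tally(send_once(host, port, f"/?{i}") for i in range(count))


if __name__ == "__main__":
    counts, first_403 = probe()
    for code, n in sorted(counts.items(), key=lambda kv: str(kv[0])):
        print(f"{code}: {n}")
    if first_403 is None:
        print("no 403 seen: mod_evasive did not engage (check DOSPageCount/DOSSiteCount and the redirect)")
    else:
        print(f"mod_evasive started blocking at request #{first_403 + 1}")
```

With the Redirect permanent to https that the question mentions in 000-default.conf, the early replies on port 80 will be 301 rather than 200; mod_evasive still counts those hits, so once the DOSPageCount or DOSSiteCount threshold is crossed the tally should switch to 403, and a matching entry should then appear under the configured DOSLogDir (here /var/log/mod_evasive/). A run in which every reply is 400 means the request is still malformed, not that mod_evasive is misconfigured.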